Python: Add modeling of tempfile module

RasmusWL · RasmusWL · commit cbd7434a7e5d · 2021-11-29T15:08:36.000+01:00
diff --git a/python/change-notes/2021-11-26-tempfile-file-access.md b/python/change-notes/2021-11-26-tempfile-file-access.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added modeling of the `tempfile` module for creating temporary files and directories, such as the functions `tempfile.NamedTemporaryFile` and `tempfile.TemporaryDirectory`. The `suffix`, `prefix`, and `dir` arguments are all vulnerable to path-injection, and these are new sinks for the _Uncontrolled data used in path expression_ (`py/path-injection`) query.
diff --git a/python/ql/lib/semmle/python/frameworks/Stdlib.qll b/python/ql/lib/semmle/python/frameworks/Stdlib.qll
@@ -2637,6 +2637,116 @@ private module StdlibPrivate {
       nodeTo.(UrllibParseUrlsplitCall).getUrl() = nodeFrom
     }
   }
+
+  // ---------------------------------------------------------------------------
+  // tempfile
+  // ---------------------------------------------------------------------------
+  /**
+   * A call to `tempfile.mkstemp`.
+   *
+   * See https://docs.python.org/3/library/tempfile.html#tempfile.mkstemp
+   */
+  private class TempfileMkstempCall extends FileSystemAccess::Range, DataFlow::CallCfgNode {
+    TempfileMkstempCall() { this = API::moduleImport("tempfile").getMember("mkstemp").getACall() }
+
+    override DataFlow::Node getAPathArgument() {
+      result in [
+          this.getArg(0), this.getArgByName("suffix"), this.getArg(1), this.getArgByName("prefix"),
+          this.getArg(2), this.getArgByName("dir")
+        ]
+    }
+  }
+
+  /**
+   * A call to `tempfile.NamedTemporaryFile`.
+   *
+   * See https://docs.python.org/3/library/tempfile.html#tempfile.NamedTemporaryFile
+   */
+  private class TempfileNamedTemporaryFileCall extends FileSystemAccess::Range,
+    DataFlow::CallCfgNode {
+    TempfileNamedTemporaryFileCall() {
+      this = API::moduleImport("tempfile").getMember("NamedTemporaryFile").getACall()
+    }
+
+    override DataFlow::Node getAPathArgument() {
+      result in [
+          this.getArg(4), this.getArgByName("suffix"), this.getArg(5), this.getArgByName("prefix"),
+          this.getArg(6), this.getArgByName("dir")
+        ]
+    }
+  }
+
+  /**
+   * A call to `tempfile.TemporaryFile`.
+   *
+   * See https://docs.python.org/3/library/tempfile.html#tempfile.TemporaryFile
+   */
+  private class TempfileTemporaryFileCall extends FileSystemAccess::Range, DataFlow::CallCfgNode {
+    TempfileTemporaryFileCall() {
+      this = API::moduleImport("tempfile").getMember("TemporaryFile").getACall()
+    }
+
+    override DataFlow::Node getAPathArgument() {
+      result in [
+          this.getArg(4), this.getArgByName("suffix"), this.getArg(5), this.getArgByName("prefix"),
+          this.getArg(6), this.getArgByName("dir")
+        ]
+    }
+  }
+
+  /**
+   * A call to `tempfile.SpooledTemporaryFile`.
+   *
+   * See https://docs.python.org/3/library/tempfile.html#tempfile.SpooledTemporaryFile
+   */
+  private class TempfileSpooledTemporaryFileCall extends FileSystemAccess::Range,
+    DataFlow::CallCfgNode {
+    TempfileSpooledTemporaryFileCall() {
+      this = API::moduleImport("tempfile").getMember("SpooledTemporaryFile").getACall()
+    }
+
+    override DataFlow::Node getAPathArgument() {
+      result in [
+          this.getArg(5), this.getArgByName("suffix"), this.getArg(6), this.getArgByName("prefix"),
+          this.getArg(7), this.getArgByName("dir")
+        ]
+    }
+  }
+
+  /**
+   * A call to `tempfile.mkdtemp`.
+   *
+   * See https://docs.python.org/3/library/tempfile.html#tempfile.mkdtemp
+   */
+  private class TempfileMkdtempCall extends FileSystemAccess::Range, DataFlow::CallCfgNode {
+    TempfileMkdtempCall() { this = API::moduleImport("tempfile").getMember("mkdtemp").getACall() }
+
+    override DataFlow::Node getAPathArgument() {
+      result in [
+          this.getArg(0), this.getArgByName("suffix"), this.getArg(1), this.getArgByName("prefix"),
+          this.getArg(2), this.getArgByName("dir")
+        ]
+    }
+  }
+
+  /**
+   * A call to `tempfile.TemporaryDirectory`.
+   *
+   * See https://docs.python.org/3/library/tempfile.html#tempfile.TemporaryDirectory
+   */
+  private class TempfileTemporaryDirectoryCall extends FileSystemAccess::Range,
+    DataFlow::CallCfgNode {
+    TempfileTemporaryDirectoryCall() {
+      this = API::moduleImport("tempfile").getMember("TemporaryDirectory").getACall()
+    }
+
+    override DataFlow::Node getAPathArgument() {
+      result in [
+          this.getArg(0), this.getArgByName("suffix"), this.getArg(1), this.getArgByName("prefix"),
+          this.getArg(2), this.getArgByName("dir")
+        ]
+    }
+  }
 }
 
 // ---------------------------------------------------------------------------
diff --git a/python/ql/test/library-tests/frameworks/stdlib/FileSystemAccess.py b/python/ql/test/library-tests/frameworks/stdlib/FileSystemAccess.py
@@ -220,21 +220,21 @@ def test_fspath():
 
 # _mkstemp_inner does `_os.path.join(dir, pre + name + suf)`
 
-tempfile.mkstemp("suffix", "prefix", "dir") # $ MISSING: getAPathArgument="suffix" getAPathArgument="prefix" getAPathArgument="dir"
-tempfile.mkstemp(suffix="suffix", prefix="prefix", dir="dir") # $ MISSING: getAPathArgument="suffix" getAPathArgument="prefix" getAPathArgument="dir"
+tempfile.mkstemp("suffix", "prefix", "dir") # $ getAPathArgument="suffix" getAPathArgument="prefix" getAPathArgument="dir"
+tempfile.mkstemp(suffix="suffix", prefix="prefix", dir="dir") # $ getAPathArgument="suffix" getAPathArgument="prefix" getAPathArgument="dir"
 
-tempfile.NamedTemporaryFile('w+b', -1, None, None, "suffix", "prefix", "dir") # $ MISSING: getAPathArgument="suffix" getAPathArgument="prefix" getAPathArgument="dir"
-tempfile.NamedTemporaryFile(suffix="suffix", prefix="prefix", dir="dir") # $ MISSING: getAPathArgument="suffix" getAPathArgument="prefix" getAPathArgument="dir"
+tempfile.NamedTemporaryFile('w+b', -1, None, None, "suffix", "prefix", "dir") # $ getAPathArgument="suffix" getAPathArgument="prefix" getAPathArgument="dir"
+tempfile.NamedTemporaryFile(suffix="suffix", prefix="prefix", dir="dir") # $ getAPathArgument="suffix" getAPathArgument="prefix" getAPathArgument="dir"
 
-tempfile.TemporaryFile('w+b', -1, None, None, "suffix", "prefix", "dir") # $ MISSING: getAPathArgument="suffix" getAPathArgument="prefix" getAPathArgument="dir"
-tempfile.TemporaryFile(suffix="suffix", prefix="prefix", dir="dir") # $ MISSING: getAPathArgument="suffix" getAPathArgument="prefix" getAPathArgument="dir"
+tempfile.TemporaryFile('w+b', -1, None, None, "suffix", "prefix", "dir") # $ getAPathArgument="suffix" getAPathArgument="prefix" getAPathArgument="dir"
+tempfile.TemporaryFile(suffix="suffix", prefix="prefix", dir="dir") # $ getAPathArgument="suffix" getAPathArgument="prefix" getAPathArgument="dir"
 
-tempfile.SpooledTemporaryFile(0, 'w+b', -1, None, None, "suffix", "prefix", "dir") # $ MISSING: getAPathArgument="suffix" getAPathArgument="prefix" getAPathArgument="dir"
-tempfile.SpooledTemporaryFile(suffix="suffix", prefix="prefix", dir="dir") # $ MISSING: getAPathArgument="suffix" getAPathArgument="prefix" getAPathArgument="dir"
+tempfile.SpooledTemporaryFile(0, 'w+b', -1, None, None, "suffix", "prefix", "dir") # $ getAPathArgument="suffix" getAPathArgument="prefix" getAPathArgument="dir"
+tempfile.SpooledTemporaryFile(suffix="suffix", prefix="prefix", dir="dir") # $ getAPathArgument="suffix" getAPathArgument="prefix" getAPathArgument="dir"
 
 # mkdtemp does `_os.path.join(dir, prefix + name + suffix)`
-tempfile.mkdtemp("suffix", "prefix", "dir") # $ MISSING: getAPathArgument="suffix" getAPathArgument="prefix" getAPathArgument="dir"
-tempfile.mkdtemp(suffix="suffix", prefix="prefix", dir="dir") # $ MISSING: getAPathArgument="suffix" getAPathArgument="prefix" getAPathArgument="dir"
+tempfile.mkdtemp("suffix", "prefix", "dir") # $ getAPathArgument="suffix" getAPathArgument="prefix" getAPathArgument="dir"
+tempfile.mkdtemp(suffix="suffix", prefix="prefix", dir="dir") # $ getAPathArgument="suffix" getAPathArgument="prefix" getAPathArgument="dir"
 
-tempfile.TemporaryDirectory("suffix", "prefix", "dir") # $ MISSING: getAPathArgument="suffix" getAPathArgument="prefix" getAPathArgument="dir"
-tempfile.TemporaryDirectory(suffix="suffix", prefix="prefix", dir="dir") # $ MISSING: getAPathArgument="suffix" getAPathArgument="prefix" getAPathArgument="dir"
+tempfile.TemporaryDirectory("suffix", "prefix", "dir") # $ getAPathArgument="suffix" getAPathArgument="prefix" getAPathArgument="dir"
+tempfile.TemporaryDirectory(suffix="suffix", prefix="prefix", dir="dir") # $ getAPathArgument="suffix" getAPathArgument="prefix" getAPathArgument="dir"

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+lgtm,codescanning`
	`2`	+* Added modeling of the `tempfile` module for creating temporary files and directories, such as the functions `tempfile.NamedTemporaryFile` and `tempfile.TemporaryDirectory`. The `suffix`, `prefix`, and `dir` arguments are all vulnerable to path-injection, and these are new sinks for the _Uncontrolled data used in path expression_ (`py/path-injection`) query.